>Date: Sun, 06 Aug 2000 18:55:41 -0500
>To: "Brian Kotek" <[EMAIL PROTECTED]>
>From: Daryl Banttari <[EMAIL PROTECTED]>
>Subject: RE: [KCFusion] Link to article about CF tips
>
>Brian,
>
>It's not "users" I'm worried about.  A couple of weeks ago, I was 
>reviewing code for a site where they passed the file name of a file to 
>mail to a user in a hidden <input> field...  They said that since the user 
>doesn't see that, they're safe, right?
>
>I saved the HTML output to disk, made the action URL non-relative and 
>specified a file /no user/ should be downloading, pulled up my local copy, 
>and clicked submit.  They were quite surprised at the results.
>
>A plague of the Web industry -- and ColdFusion code in particular -- is 
>the lack of attention paid to security issues.  If I had a nickel for 
>every time I see someone passing unchecked vars into forms, I wouldn't 
>have to work :-)
>
>I would have been much happier with your examples if they included the 
>code to check the variables and ensure no form hacking has 
>occurred.  Honestly, I consider posting examples this (powerful | 
>dangerous) without including the code to make it safe [/in/ the example] 
>rather irresponsible.  That way, when programmers not as clever as you 
>copy and paste the code into their apps, it happens safely.
>
>'If you are that concerned about someone posting malformed FORM values you 
>could always check the variable's contents prior to executing the query.'
>...All ColdFusion programmers should be 'that concerned'!
>
>Please don't consider this a flame-- if we were meeting in person, I would 
>be using the same tone of voice.  I'm /very/ concerned about the security 
>problems left in ColdFusion code on a regular basis.  (It's giving 
>ColdFusion a bad name in the security industry--  I've actually heard 
>objections to using ColdFusion because of the security weaknesses 'in 
>ColdFusion' when it's bad site programming to blame.)
>
>Sincerely,
>
>Daryl Banttari
>
>At 06:20 PM 8/6/2000 -0400, Brian Kotek wrote:
>>Can you be more specific...what do you disagree with?  If you are referring
>>to using FORM variables in your query, please note that the form value is
>>not a text input but a checkbox, where the user has no power to change the
>>form value.  If you are that concerned about someone posting malformed FORM
>>values you could always check the variable's contents prior to executing the
>>query.
>>
>>You might also notice that I cover cross-site scripting and URL/FORM
>>variable hacking on its own page.
>>
>>Other than that I can't see what you are concerned about.
>>
>>Thanks,
>>
>>Brian
>>
>>
>>-----Original Message-----
>>From: Daryl Banttari [mailto:[EMAIL PROTECTED]]
>>Sent: Saturday, August 05, 2000 2:44 PM
>>To: [EMAIL PROTECTED]
>>Cc: [EMAIL PROTECTED]
>>Subject: Re: [KCFusion] Link to article about CF tips
>>
>>
>>  >At 10:40 AM 8/4/2000 -0500, Keith Purtell wrote:
>>  >In case you haven't already seen this article ...
>>  >
>>  >http://www.builder.com/Programming/ColdFusionTips/print.html
>>
>>Wow... unless you've /seriously/ locked down your database permissions, I
>>wouldn't recommend many of those techniques at all!
>>
>>See the Allaire Security Bulletin ASB99-04, "Multiple SQL Statements in
>>Dynamic Queries", at
>>http://www.allaire.com/handlers/index.cfm?ID=8728&Method=Full
>>
>>Remember to second-guess any article you read.  In general, just because it
>>was a neat idea, doesn't necessarily mean it's a good idea.
>>
>>Also remember that all generalizations are false ;-)
>>
>>Daryl Banttari
>>Sr. Consultant
>>Allaire Consulting
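An added illustration of the check Daryl is asking for (not code from the thread or from the article it discusses): re-validate a checkbox value against the options the form actually offered, then bind it as a query parameter instead of splicing it into the SQL. Python and sqlite3 stand in for the CFML and database of the original; the table, column names and allowed id set are constructed.

```python
import sqlite3

# Constructed example: the category ids the checkbox form actually offered.
# A value outside this set could only come from an edited copy of the form.
ALLOWED_CATEGORY_IDS = {1, 2, 3}


def validate_category_ids(form_value):
    """Parse a ColdFusion-style checkbox list ("1,3") into ints, rejecting
    anything the form never offered. A checkbox is no guarantee: a saved copy
    of the HTML with a non-relative action URL can submit any string at all,
    so the server re-checks every value before it gets near a query."""
    ids = []
    for raw in form_value.split(","):
        raw = raw.strip()
        if not (raw.isascii() and raw.isdigit()):  # empty or non-numeric
            raise ValueError(f"rejected non-numeric category id {raw!r}")
        value = int(raw)
        if value not in ALLOWED_CATEGORY_IDS:
            raise ValueError(f"rejected category id {value}: not offered by the form")
        ids.append(value)
    return ids


def is_rejected(form_value):
    """True when validation refuses the submitted value."""
    try:
        validate_category_ids(form_value)
    except ValueError:
        return True
    return False


def build_demo_db():
    """In-memory table with constructed rows; category 9 is deliberately not offered."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER, category_id INTEGER, name TEXT)")
    conn.executemany("INSERT INTO products VALUES (?, ?, ?)",
                     [(1, 1, "widget"), (2, 2, "gadget"),
                      (3, 3, "gizmo"), (4, 9, "unlisted")])
    return conn


def products_for_form(conn, form_value):
    """Validate first, then bind the ids as parameters so the submitted text
    is never part of the SQL string (the ASB99-04 multi-statement hazard)."""
    ids = validate_category_ids(form_value)
    placeholders = ",".join("?" * len(ids))
    rows = conn.execute(
        f"SELECT name FROM products WHERE category_id IN ({placeholders}) ORDER BY id",
        ids)
    return [name for (name,) in rows]
```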

______________________________________________________________________
The KCFusion.org list and website is hosted by Humankind Systems, Inc.
List Archives........ http://www.mail-archive.com/cf-list@kcfusion.org
Questions, Comments or Glowing Praise.. mailto:[EMAIL PROTECTED]
To Subscribe.................... mailto:[EMAIL PROTECTED]
To Unsubscribe................ mailto:[EMAIL PROTECTED]